Journalists use a wide range of online platforms to distribute their work and communicate with sources and audiences. Platforms that allow interaction with others, like social media, wikis that allow collaborative editing, or content hosting services like WordPress and Substack, can all present security issues for you and others in your networks. There are, however, steps you can take to better protect yourself.
Protect your accounts
Turn on two-factor authentication (2FA) for all accounts that allow it. This added layer of security helps prevent unauthorized access by requiring anyone who enters your password to provide a second layer of verification, often a code generated on your phone or a security key you carry with you.
- Use an authenticator app, such as Authy, for 2FA instead of SMS, which is easier to intercept.
- Some platforms notify you of login attempts as a form of 2FA – ensure that this feature is activated on each service you use.
Create long, unique passwords of at least 16 characters. Include numbers, letters, and symbols to make it harder to crack.
- Never repeat your password on different accounts. If someone compromises one password, you can still prevent them from gaining access to others.
- Never use personal information that is easy to discover as your password – such as your date of birth or your pet’s name.
- Use a password manager to create and store passwords.
- Password security is even more important for accounts that don’t offer 2FA.
Learn more about protecting your accounts in CPJ’s Digital Safety Kit.
What you share
Private vs public
Content that you post privately might not be as private as you think. Other people on the platform – or people who work for the company that runs it – may be able to see it. Be mindful of the following:
- Think about who has access to the platform you are using. Can the content be viewed by the public? By other people with an account? Or only people you have explicitly authorized?
- Review privacy settings on each platform you use to check what is public by default. Hide, restrict, or take down content you are uncomfortable having in the public domain.
- Remember that private messages and emails can be accessed by others unless they are end-to-end encrypted – and even those can still be read by someone with access to your device, either in person or by remote hacking.
- Think carefully about what you post before you publish, since it may be permanent. Some platforms archive content even after it is deleted, which government agents can potentially request, and internet archives or other sites may also keep a record.
Personal data
Online platforms collect a lot of data about you that other people, including government officials, can access and use to surveil and harass you.
- Avoid publishing personal information that could be used to locate you, contact you, or verify your identity, such as your date of birth or phone number.
- Avoid publishing personal information that could reveal the identity of others, especially your sources.
- Delete content that you no longer want publicly available or ask the platform to take it down. Services have different procedures – social media platforms allow you to remove some content yourself, while others, such as Google Search, Google Maps, and Wikimedia, accept requests for content to be taken down.
- Be mindful that your internet protocol (IP) address, which links your device to an internet connection, may be visible to website administrators, internet service providers, and others, and can be used to physically locate you.
Images
Images that you post online can give away a lot of information.
- Remove metadata, also known as EXIF data – the information attached to digital photos that reveals when and where they were taken, and with which camera or phone – before posting if possible, and do not upload any more data than is necessary.
- Use generic, neutral profile pictures that don’t reveal your face or location if you have concerns about your safety.
- Be aware that photos you upload may be freely available for others to use under the terms and conditions of some platforms. Avoid uploading images that you do not want others to share or copy, especially if they involve sensitive events such as protests and demonstrations.
Read transparency reports
Tech companies and other organizations release regular transparency reports about the requests they receive from governments to access or remove data, which can help inform your decisions about which services are safe for you to use. Examples include Google, Facebook, Twitter, Wikimedia, and WordPress.